This is a list of IT-Security resources with the main focus on hardening
(i.e. securing by configuration) of operating systems and applications.

Host security is painfull (i.e. you need to secure every host in your
enterprise, not only a single third party firewall product). Nevertheless it
is very important. Not only for exposed bastion hosts (internet servers),
but also for intranet servers and even workstations. There a a lot of good
reasons for securing every single host in your network to some extend. First
of all, most of your treats will come from insiders anyway, which have
unfiltered access to your local lan. In addition to that, you should design
your security layered, and design for failure. This means the security of
your servers themself is very often the last and only line of defense.

Resources

Generic and Background Information

[html]Reflections on Trusting Trust
This is a very classical text about trust in IT-Systems. This
article from <Ken Thompson> is quite important for all areas
of IT-Securtiy, but system hardening and host security most notable
benefits from the classical "trust no one" approach.

[html]Unofficial TEMPEST
Don't forget, that hardening of important systems does not stop
on the software configuration layer. The first step for sure is
physical securtiy. And once you start about having hard to crack
systware configurations, you should read this ressource to be
reminded how easy it might be to spy on you in the physical world.

[html]CERTs security improvement
Each CERT Security Improvement module addresses an important but
narrowly defined problem in network security. It provides guidance
to help organizations improve the security of their networked
computer systems.
The CERT security practices have been compiled in The
Book:
"The CERT Guide to System and Network Security Practices" published by Addison-Wesley.
Review anyone?

Linux/Unix system hardening

[html]Building a Bastion Host Using HP-UX 10/11
A bastion host is a computer system that is exposed to attack, and
may be a critical component in a network security system. Special attention
must be paid to these highly fortified hosts, both during initial
construction and ongoing operation. <Kevin Steves> a HP consultant
presents an up-to-date paper on the methodology for installing bastian
hosts.

[html]Securing a Unix Machine for Beginners
This small document describes a way to keep most of Unix' power and
flexibility, but to also reduce the maintenance burden by turning
off unneeded services.

[html]Armoring Solaris
One of <Lance Spitzner>'s security whitepapers from 2001.
Subtitle: preparing Solaris for a firewall. There is also a second
edition of this paper from 2002, specially for Solaris 8 64-bit and
Checkpoint Firewall-1 ([html])

[html]Armoring Linux
How to armor the Linux operating system. This article by Lance
Spitzner presents a systematic method to prepare your system for the
Internet. The article from 2000 is based on Redhat 6.0, but should
apply to most distributions of Linux.

[html]GG24-4433-00 Elements of Security: AIX 4.1
This redbook from IBM describes security-related elements of AIX for
system administrators.

[html]Securing Debian
This document describes the process of securing and hardening the
default Debian installation. It covers some of the common tasks to
set up a secure network environment using Debian GNU/Linux. It also
gives additional information on the security tools available as well
as the work done by the Debian security team.

[html]SuSE: Installation of a Secure Webserver
SuSE's own installation instruction for Internet exposed
Web Servers. A must if you dare to run a SuSE Linux Server with
Apache.

[html]Securing Internet Information Servers
Older document on how to secure public reachable applications on
Unix systems, including FTP, Gopher and older HTTP servers.

[html]CERIAS Hotlist: System Security / Unix
This is a link list maintained by The Center for Education and
Research in Information Assurance and Security at Purdue University.

[html]Securing & Optimizing Linux: The Ultimate Solution
This is a PDF of a Linux Hardening book.

[html]Setting up an hardened Debian Log Server
A PDF paper from Vince on
hardening a Debian server for the purpose of collecting logs in a
network. Note: I advise against using a self-compiled ssh, just
install the debian package. I also would prefer not to compile programs on
the target host, or use an inclomplete homebrown tripwire. Debian has a
nice package called integrit, instead. Also, a log server should offer
cryptografically secured logging.

[html]Unix Guru Universe
A lot of useful Links for Unix System Administrators.

[html]Computer Security Information
Features general information about computer security. Originally
designed by Jessica Kelley, maintained at the Center for Information
Technology, National Institutes of Health.

[html]Trusted Debian
This is not the only available secure Linux Distribution. Basically
this Link will be replaced with its own collection, including GRC, SELinux
etc.

[html]Debian Read-Only root filesystem
Running a system with read-only root enhances the stability of a
system for power outages and other unwanted unterruptions. It is
therefore a good configuration for routers or firewalls, which
do not show many reconfigurations. It is also a security feature
to avoid permanent changes to the system on intrusion. This Howto
details the steps needed to achieve this on Debian (by Thomas Mood).

Microsoft Windows related

[html]Building a Windows NT bastion host in practice
This paper by <Stefan Norberg> is now used as the base for the
Book:
"Securing Windows NT/2000 Servers for the Internet".
See the [html] ORA
catalog and book homepage for more info. This is realy a good choice
if you dare to use Windows systems connected to hostile networks.

[html]NT Security - Frequently Asked Questions
This collection of frequently asked questions with answers on
NT security issues is last updated in 1997. It contains a lot
of general and specific informations you need to know as a
NT admin.

[html]Windoes 2000 Security Configuration Document
Windows NT/200 Security Checklist that is designed to provide security
administrators with a method of configuring an installation based on
the agreed security risk profile of the target system. The security
configuration document divides recommendations into levels
"Premium", "Standard", and "Basic". <Leigh Purdie,
Intersectalliance>

[html]Terminate System Services = Beenden von Systemdiensten
Best (german) article on how to close all Windows 2000 and Windows
XP Ports. <Frank Kaune>

[html]Terminate System Services .bat
Based on the KSSystems manual, this site features batch files to do
the work automatically. Page is in german, .bat files are available
for XP and 2000. Thanks to <Torsten Mann>

[html]CERIAS Hotlist: System Security / Windows
This is a link list maintained by The Center for Education and
Research in Information Assurance and Security at Purdue University.

[html]Armoring NT
One of <Lance Spitzner>'s security whitepapers from 2000.
Subtitle: preparing NT for a firewall.

[html]Microsoft Security and Privacy
This site is provided by Microsoft, nevertheless it should be your
first stop while looking for up-to-date information on
security related topics for Windows systems and applications.

[html]Microsoft's Security Operations Guide for Windows 2000 Server
Microsoft Technet provides this guide for Windows 2000 admins
dealing with topics like patching, intrusion detection
and general hardening of the installation.